
870 IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 7, NO. 4, OCTOBER 2010

Diagnosis of Dense-Time Systems Under Event and Timing Masks

Songyan Xu, Shengbing Jiang, and Ratnesh Kumar, Fellow, IEEE

Abstract—We study diagnosis of timed discrete-event systems (TDESs) modeled as timed-automata. Earlier works on diagnosis of TDESs assumed that a diagnoser has partial observation of events but can measure (or observe) time with arbitrary precision. In practice, however, time can only be measured with finite precision. We model the finite precision observability of time using a digital-clock that measures time discretely by executing ticks. For the diagnosis purposes, the set of nonfaulty timed-traces is specified as another timed-automaton that is deterministic, generalizing the forms of nonfaulty specifications considered in the earlier works. We show that the set of timed-traces observed using a digital-clock with finite precision is regular, i.e., can be represented using a finite (untimed) automaton. We show that the verification of diagnosability (ability to detect the execution of a faulty timed-trace within a bounded time delay) as well as the offline synthesis of a diagnoser are decidable by reducing these problems to the untimed setting. The reduction of the diagnosis problem to the untimed setting also suggests an effective method for the offline computation of a diagnoser as well as its online implementation for diagnosis.

Note to Practitioners—Diagnosis is needed to detect the occurrence of a fault so as to enable any corrective actions. For event-driven systems with timing-requirements, diagnosis involves detecting the timing-faults, besides the sequence-faults. This requires monitoring timing and sequence of events, both of which may only be partially observed in practice. This paper extends the prior work by allowing time to be partially observed (using a digital clock which measures the advancement of time with finite precision by the execution of ticks), and provides a condition under which faults can be detected within a bounded time delay. It is shown that the diagnosis problem can be transformed to one of untimed setting, and so the existing techniques from untimed setting can be applied.

Index Terms—Dense-time systems, diagnosis, digital-clock, discrete-event systems, timed-automaton.

I. INTRODUCTION

DIAGNOSIS of discrete-event systems requires detecting the occurrence of a fault, i.e., the execution of an abnormal behavior, from the observations of the system behavior.

Manuscript received May 26, 2009; revised December 02, 2009; accepted February 14, 2010. Date of publication June 21, 2010; date of current version October 06, 2010. This paper was recommended for publication by Associate Editor M. P. Fanti and Editor Y. Narahari upon evaluation of the reviewers’ comments. This work was supported in part by the National Science Foundation under the Grant NSF-ECS-0601570, Grant NSF-ECCS-0801763, Grant NSF-CCF-0811541, and Grant NSF-ECCS-0926029.

S. Xu and R. Kumar are with the Department of Electrical and Computer Engineering, Iowa State University, Ames, IA 50011 USA (e-mail: [email protected]; [email protected]).

S. Jiang is with Research and Development and Planning, General Motors, Warren, MI 48090-9055 USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/TASE.2010.2049841

In [7] and [14], the notion of diagnosability, which requires the occurrence of a fault be detected within a bounded time delay, has been examined. A stronger notion of state-observability was examined in [11]. Diagnosis of discrete-event systems in the decentralized setting was reported in [4] and [12], in the distributed setting in [13], in the Petri Net setting in [5], and in the temporal logic setting in [8].

The above cited works explore diagnosis of untimed discrete-event systems. However, real-time applications possess timing properties (such as latency), and their correctness depends not only on the correctness of the sequence of events executed, but also on the correctness of the event occurrence times.

There has been some research on diagnosis of timed discrete-event systems (TDESs), including diagnosis in the discrete-time setting [17] and in the dense-time setting [3], [6], [15]. Fault diagnosis of dense-time models was first examined in [15]. It was assumed that while a diagnoser has partial observation of events, it is able to measure time perfectly. It was shown that the verification of diagnosability in this setting is decidable and online diagnosis can be effectively performed, whereas no comments were made about the offline synthesis of a diagnoser. The fault diagnosis of timed-automata under partial observation of events and perfect observation of time was also studied in [3]. The main focus was on the synthesis of diagnosers which are realizable as deterministic timed-automata.

The following example illustrates that a system that is diagnosable under the assumption that time is measured precisely may become undiagnosable when time can only be measured with some finite precision.

Example 1: Consider the timed automaton model shown in Fig. 1, in which is an unobservable faulty event, and is an unobservable nonfaulty event. It can be checked that this system is diagnosable if time could be measured with arbitrary precision. Suppose time could be measured with only a finite precision, say using a digital clock that ticks every one unit of time. Then, is no longer diagnosable. This is because a faulty trace cannot be distinguished from a nonfaulty trace , both of which produce the same observation, namely, “tick” followed by .

Fig. 1. Timed automaton model of a discrete-event system.

This motivates us to study the diagnosis problem of dense-time discrete-event systems in which digital-clocks with finite precision are used to measure the event occurrence times, and we show that the set of timed-traces of a dense timed-automaton observed using a finite precision digital-clock is regular, i.e., can be represented using a finite (untimed) automaton. We show that the verification of diagnosability (ability to detect the execution of a faulty timed-trace within a bounded time delay) as well as the offline synthesis of a diagnoser are decidable by reducing these problems to the untimed setting. The reduction of the diagnosis problem to the untimed setting also suggests an effective method for the offline computation of a diagnoser as well as its online implementation for diagnosis.

1545-5955/$26.00 © 2010 IEEE

The diagnosis of dense-time systems using digital-clocks to measure time was first studied in our earlier conference paper [9]. The present paper is based on the conference version and improves by correcting the errors and providing complete proofs. The same problem was later independently studied in [1]. The authors of [1] additionally studied the existence of a digital-clock that ensures the diagnosability of a dense-time system, whereas we additionally study the diagnosis problem where fault is specified more generally, namely as the violation of a real-time specification language. The other differences are as below: (i) We explicitly define the notion of timing-mask, which captures the nondeterminism of the untimed observations of a timed trace as observed using a digital-clock. (ii) We point out that the set of behaviors of a dense-time discrete-event system observed by employing a digital-clock for the measurement of time is not prefix-closed. This is owing to the fact that plant events and digital-clock ticks can occur simultaneously. The non-prefix-closure of the set of observed behaviors was not noticed in [1]. (iii) We establish an equivalence between diagnosability of a timed DES employing a digital clock to observe event occurrence times and that of an untimed DES. Therefore the diagnosis problem in the dense-time setting can be solved by reduction to the untimed setting. In particular this suggests an algorithm to construct a diagnoser when the given system is diagnosable. In contrast, no algorithmic method to construct a diagnoser when a given system is diagnosable is described in [1].

II. NOTATIONS AND PRELIMINARIES

Let denote a set of nonnegative real numbers, denote a set of events, and denote the identity of concatenation. A timed-trace over is a sequence , where for , ; for , and ; and . Its corresponding untimed-trace is denoted as . We use to denote the final time instant in . For , . We denote the set of all timed-traces as . A subset of is called a timed-language. For a timed-language we use to denote the set of all prefixes of the timed-traces belonging to . is said to be closed (relative to ) if .

Given , the operation is used to define the projection of a timed-trace over , and is inductively defined as follows:

if
otherwise

where , , . Note that the concatenation equals for any and , and so it can be concluded that .

A timed-automaton is a tuple , where:

• is a finite set of discrete states.
• is a finite set of events.
• is a finite set of clocks.
• is a set of transitions. Here, is the set of clock constraints. A clock constraint is a Boolean formula over atomic constraints of the form or , where , , and is a rational constant. Each transition is a tuple with being the source discrete state, being the event associated with the transition, being a clock constraint representing the guard condition of the transition, being the set of clocks to be reset by the transition, and being the destination discrete state.
• is the invariant function, which assigns invariant conditions (belonging to ) to discrete states.
• is the set of initial states.
• is the set of final states.

A time assignment is a function assigning a nonnegative real value to each clock. Constants may be added to a time assignment: . defines a time assignment which maps each clock in to 0 and keeps all other clocks unchanged. Under this assignment we say that the clocks in are reset. We use to denote the time assignment which maps every clock to 0.

A run of a timed-automaton over a timed-trace is a sequence of the form

with and the time assignments satisfying the following requirements:

• Initialization: and .
• Invariance: , , satisfies , where .
• Consecution: , such that satisfies and ; if , then there is a tuple such that satisfies and , otherwise and .

A timed-automaton generates a finite timed-trace if has a run over ; it generates an infinite timed-trace if it generates all finite prefixes of . A generated finite timed-trace is accepted by if a corresponding run over ends in a final state in ; an infinite timed-trace is accepted by if a corresponding run over visits the set of final states infinitely often. The timed language generated (marked) by , denoted by (resp., ), is the set of all the timed-traces generated (marked) by . The generated untimed language of is denoted by . Similarly, the marked untimed language of is denoted by . Given timed-automata and , is said to be closed relative to if .

From [2], we have the following result.

Theorem 1: [2] The marked untimed language of a timed-automaton is regular.

An untimed-automaton can be considered as a special timed-automaton in which all the clock constraints and invariants are always “true.” An untimed-automaton over an event set can be represented as where , , , and have the same meanings as in a timed-automaton, and the set of transitions satisfies: .
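To make the run requirements concrete, the following is an added example in Python (mine, not the paper's code): a checker that decides whether a timed automaton has a run over a finite timed trace by applying the initialization, invariance and consecution rules stated above, and whether some such run ends in a final state. The automaton it is applied to is a constructed sketch in the spirit of the AC unit of Example 2 in Section III; its states, the clock x, the guards and the invariants are my assumptions and not the paper's Fig. 2. Guards and invariants are plain predicates over a clock valuation rather than the clock-constraint syntax, and invariants are assumed to be upper bounds, so checking them at the arrival instant of each event is enough.

```python
from fractions import Fraction


def freeze(valuation):
    """Hashable form of a clock valuation (dict clock -> Fraction)."""
    return tuple(sorted(valuation.items()))


def runs(automaton, trace):
    """Configurations (state, frozen valuation) reachable by runs of
    `automaton` over the finite timed trace `trace`, a list of (event, time)
    pairs with nondecreasing times.  An empty result means there is no run.

    The three requirements of a run are checked in turn: initialization
    (an initial state with every clock at 0), invariance (the invariant of
    the current state holds after the time elapsed since the previous event)
    and consecution (a transition on the event whose guard holds, followed by
    resetting its clock set, landing in a state whose invariant holds)."""
    invariants = automaton.get("inv", {})

    def inv_ok(state, v):
        return invariants.get(state, lambda _: True)(v)

    zero = {c: Fraction(0) for c in automaton["clocks"]}
    configs = {(q, freeze(zero)) for q in automaton["init"] if inv_ok(q, zero)}
    now = Fraction(0)
    for event, t in trace:
        t = Fraction(t)
        if t < now:
            raise ValueError("event times in a timed trace must be nondecreasing")
        nxt = set()
        for q, frozen in configs:
            v = {c: x + (t - now) for c, x in frozen}          # let time elapse
            if not inv_ok(q, v):
                continue                                      # invariance violated
            for e, guard, resets, q2 in automaton["trans"].get(q, []):
                if e == event and guard(v):                   # consecution
                    v2 = {c: Fraction(0) if c in resets else x for c, x in v.items()}
                    if inv_ok(q2, v2):
                        nxt.add((q2, freeze(v2)))
        configs, now = nxt, t
        if not configs:
            break
    return configs


def generates(automaton, trace):
    """True iff the automaton has a run over the trace."""
    return bool(runs(automaton, trace))


def accepts(automaton, trace):
    """True iff some run over the trace ends in a final state."""
    return any(q in automaton["final"] for q, _ in runs(automaton, trace))


# Constructed automaton (an assumption, not the paper's Fig. 2): an AC unit
# that must be switched on within one time unit, must start cooling within one
# unit of being on unless it fails (f), and is switched off after exactly one
# unit of cooling.  Guards and invariants are predicates over a valuation v.
AC_UNIT = {
    "init": {"Hot"},
    "final": {"Off"},
    "clocks": ["x"],
    "trans": {                 # state -> [(event, guard, clocks to reset, target)]
        "Hot":  [("on",   lambda v: v["x"] <= 1, {"x"}, "On")],
        "On":   [("cool", lambda v: v["x"] <= 1, {"x"}, "Cool"),
                 ("f",    lambda v: True,        set(), "Fault")],
        "Cool": [("off",  lambda v: v["x"] == 1, {"x"}, "Off")],
        "Off":  [("hot",  lambda v: True,        {"x"}, "Hot")],
    },
    # invariants are upper bounds, so holding at the arrival instant of an
    # event implies holding throughout the elapsed interval
    "inv": {"Hot": lambda v: v["x"] <= 1, "On": lambda v: v["x"] <= 1,
            "Cool": lambda v: v["x"] <= 1},
}
```

Times are given as strings or integers and converted to Fraction so that guards such as x == 1 are decided exactly instead of through floating-point rounding; `generates(AC_UNIT, [("on", "0.5"), ("cool", "1.2"), ("off", "2.2")])` returns True, while `generates(AC_UNIT, [("on", "0.5"), ("cool", "2")])` returns False because the invariant of “On” is violated before cool.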

Let and be two timed-automata. Assume without loss of generality that the clock sets and are disjoint. Their product is a timed-automaton , where and the transition set is defined by:

1) , , , we have .
2) , , , we have .
3) , , , we have .

Next we introduce the notions of nonspeedingness (also called nonzenoness) and nonslowingness. The former requires that too many transitions shall not occur in a short time interval, whereas the latter requires that too few transitions shall not occur in a long time interval.

Definition 1: An infinite timed-trace is said to be nonspeeding or nonzeno if for every interval there exists a count such that

is said to be uniformly nonspeeding if is independent of . A timed language is said to be (uniformly) nonspeeding if all its infinite timed-traces are (uniformly) nonspeeding. A timed-automaton is (uniformly) nonspeeding if its generated timed-language is (uniformly) nonspeeding.

Let be a set of natural numbers. An infinite timed-trace is said to be nonslowing if for every count there exists an interval such that

is said to be uniformly nonslowing if is independent of . A timed language is said to be (uniformly) nonslowing if each of its finite timed-traces possesses an infinite timed-trace extension, and each of its infinite timed-traces is (uniformly) nonslowing. A timed-automaton is (uniformly) nonslowing if its generated timed-language is (uniformly) nonslowing.

For a nonslowing timed-language , it holds that for each , there exists such that . In the following, we assume that a system model is nonspeeding by default.

Next we introduce the notion of partial observation of events.

Let be an event observation mask with , where is the set of observed symbols. An untimed-trace is observed through the event-mask as . Given an untimed language , where is the set of all finite length event-traces including the zero-length event-trace , the event-masked language is defined by . Note that time is fully observable under an event mask, therefore a timed-trace is observed through an event-mask as . Given a timed language , the event-masked language is defined by .

To introduce the faults, let be the set of fault types, be the fault-type assignment function for each event, where means is a nonfaulty event, otherwise is a faulty event and is the set of fault types associated with . Hereafter, when we write that “a fault of type has occurred”, it will mean that some faulty event with has occurred. For an untimed-trace , if for some event in the trace, , then we say that a fault of type has occurred in , and denote it as .

The definition of diagnosability for untimed discrete-event systems is given below.

Definition 2: A language is said to be diagnosable with respect to an event mask and a fault assignment function if the following holds:

A discrete-event system is said to be diagnosable if its marked language is diagnosable.

Definition 2 states that an untimed system is diagnosable if the execution of any faulty event can be detected within a bounded delay (bounded number of transitions) from the observations of the system behavior (i.e., no nonfaulty behavior can produce the same observation). Polynomial algorithms for the test of the above diagnosability and the synthesis of the online diagnoser can be found in [7], [16], and in [10], respectively.

In the following, we define the behavior of a dense timed-automaton when the event occurrence times are measured using a digital-clock of finite precision that measures time discretely by generating ticks.

We first give the definition of a digital-clock.

Definition 3: A digital-clock is modeled by a nonspeeding and nonslowing timed-automaton

in which at any given time at most one tick event can occur.

Next, we introduce the notion of timing-mask associated with a digital-clock.

Definition 4: Given a digital-clock , the timing-mask associated with is defined as follows: for a timed-trace

where and for all . The timing-masked generated (marked) language of a timed-automaton , denoted by , consists of all the timing-masked observations of the timed-traces generated (marked) by .

In the definition above, , denotes the number of ticks that can occur in the interval (where ). Note it is possible that the occurrence of a tick coincides with that of an event of the timed-trace . Then, according to the interleaving semantics, this is observed either as followed by the tick, or as the tick followed by . The timing-mask function includes both possibilities. In particular it is possible that a tick transition occurs at the last event occurrence time , and so (following the interleaving semantics) the observation of can consist of a single tick after the last event .

Remark 1: consists of all the untimed observations of a timed-trace in which dense-time is measured using a digital-clock . Since the number of ticks generated in any time interval can vary from execution to execution, timing-mask is in general nondeterministic.

Note a tick event may occur simultaneously with an event . Thereby a timing-masked language need not be prefix-closed (although is prefix-closed). For instance, given and a digital-clock which ticks every one time unit, then , whereas .
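The following Python is an added example (not from the paper) implementing the timing mask of Definition 4 under the interleaving semantics described above: given a timed trace and the instants at which the digital clock ticks, it returns every untimed observation, placing a tick that coincides with one or more events at each possible position among them. It goes slightly beyond the periodic clock of the example in that any sorted list of tick instants (at most one per instant, as Definition 3 requires) is accepted, and it reproduces the non-prefix-closure just noted: for the prefix-closed language {ε, (a,1)} and a clock ticking every unit, “a” is a prefix of the observation “a tick” but is itself not an observation. The names periodic_ticks, timing_mask, timing_masked_language and is_prefix_closed are my own.

```python
from fractions import Fraction


def periodic_ticks(period, horizon):
    """Tick instants of a clock ticking every `period` units, up to `horizon`
    inclusive (a constructed helper: the paper only requires a nonspeeding and
    nonslowing clock with at most one tick at any instant)."""
    period, horizon = Fraction(period), Fraction(horizon)
    return [period * k for k in range(1, int(horizon // period) + 1)]


def timing_mask(trace, tick_times, tick="tick"):
    """Every untimed observation of the timed trace `trace` (list of
    (event, time) pairs, times nondecreasing) when time is seen only through
    the ticks at `tick_times`.  Ticks strictly between two event instants are
    observed in order; a tick coinciding with one or more events at the same
    instant may be observed at any position among them (interleaving
    semantics).  Ticks after the last event are not observed: the observation
    ends at the final instant of the trace."""
    ticks = sorted({Fraction(x) for x in tick_times})
    groups = []                                  # [(instant, [events at it])]
    for event, t in trace:
        t = Fraction(t)
        if groups and groups[-1][0] == t:
            groups[-1][1].append(event)
        else:
            groups.append((t, [event]))

    observations = [()]
    prev = None                                  # None: interval starts at 0, inclusive
    for t, events in groups:
        before = tuple(tick for x in ticks if (prev is None or prev < x) and x < t)
        coincident = any(x == t for x in ticks)  # at most one tick per instant
        if coincident:
            alternatives = [before + tuple(events[:i]) + (tick,) + tuple(events[i:])
                            for i in range(len(events) + 1)]
        else:
            alternatives = [before + tuple(events)]
        observations = [o + a for o in observations for a in alternatives]
        prev = t
    return {" ".join(o) for o in observations}


def timing_masked_language(language, tick_times):
    """Union of the observations of every timed trace in `language`."""
    observed = set()
    for trace in language:
        observed |= timing_mask(trace, tick_times)
    return observed


def is_prefix_closed(untimed_language):
    """Prefix-closure test on a set of space-separated observations."""
    for word in untimed_language:
        symbols = word.split()
        if any(" ".join(symbols[:k]) not in untimed_language for k in range(len(symbols))):
            return False
    return True


# Constructed prefix-closed timed language {epsilon, (a, 1)} observed through a
# clock that ticks every unit: the tick coincides with a, so the observations
# are "tick a" and "a tick", and the prefix "a" is not an observation.
PREFIX_CLOSED_L = [[], [("a", 1)]]
OBSERVED = timing_masked_language(PREFIX_CLOSED_L, periodic_ticks(1, 1))
```

`OBSERVED` evaluates to the set {"", "tick a", "a tick"} and `is_prefix_closed(OBSERVED)` is False, which is exactly the phenomenon that forces the refinement of the region automaton mentioned below; two events at the same instant as a tick produce all three interleavings, e.g. `timing_mask([("a", 1), ("b", 1)], [1])` gives {"tick a b", "a tick b", "a b tick"}.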

In light of Theorem 1, it can be shown that the prefix of the timing-masked generated language of a dense timed-automaton is regular, i.e., given a timed-automaton and a digital-clock timed-automaton , it holds that . When plant-events and ticks don’t coincide, is the same as , and thus is regular. The more general case, where plant-events and ticks can occur simultaneously, requires further refinement of by introducing certain marked locations since simultaneous events are represented using their interleaving in a language-based semantics, which implies that the timing-masked language is not prefix-closed generally. This refinement is presented in the Appendix at the end of this paper.

The regularity of a timing-masked generated/marked language is established next.

Theorem 2: Given a timed-automaton and a digital-clock timed-automaton , let be the timing-mask associated with . Then, are regular untimed languages.

III. DIAGNOSIS UNDER EVENT AND TIMING MASKS

In this section, we study the fault diagnosis problem of TDESs modeled by timed-automata with both timing and event observation masks. Recall that the timed-language to be diagnosed is generated by a plant and hence is prefix-closed. Similarly, a nonfaulty specification language is also prefix-closed.

Let be the timing-mask associated with a digital-clock . The observation of trace through both timing and event masks is denoted as , where has the form of since the “tick” event is observable through the event observation mask , i.e., , and we have . The event and timing masked (generated) language of a timed-automaton is denoted by .

Now, we give the definition of diagnosability in the timed setting.

Definition 5: A timed language is said to be diagnosable with respect to the timing-mask , the event-mask and the fault assignment function if the following holds:

A dense-time system is said to be diagnosable if its marked timed language is diagnosable.

Definition 5 states that a timed system is diagnosable if the execution of any faulty event can be detected within a bounded time delay from the event and timing-mask observations of the system (i.e., no nonfaulty behavior can produce the same observation).

In the following, we show that the diagnosis problem of dense-time systems with both timing and event observation masks can be reduced to the diagnosis problem of untimed systems with only an event observation mask. To establish the equivalence between the diagnosabilities of a timed language and its timing-masked language, the following simple lemma is needed.

Lemma 1: For any timed-trace , if and only if , where .

Lemma 1 follows from the fact that a timing mask does not mask the events (rather their timings).

Next, we show that the diagnosability of a timed language is equivalent to the diagnosability of its timing-masked language.

Theorem 3: Let be a prefix closed and uniformly nonspeeding timed language, be a uniformly nonspeeding and nonslowing digital-clock, be the timing-mask associated with digital-clock , be the event-mask, and be the fault assignment function. is diagnosable with respect to timing-mask , event-mask and fault assignment function if and only if its timing-masked language is diagnosable with respect to the event mask and the fault assignment function .

Proof: For the sufficiency, suppose is diagnosable, i.e., for any , there exists a s.t. Definition 2 is satisfied. Since is uniformly nonslowing, there exists an interval s.t. the number of ticks generated during the interval is at least . Pick a faulty trace with , an extended trace with and a trace s.t. , we need to show .

From and , there exist , , and s.t. and for , . Also, . The following four cases need to be considered.

Case 1: . Then, , and . Note that is uniformly nonslowing, , and so .

Similarly, for Case 2: , Case 3: , , and Case 4: , , it can be obtained that .

In each case, , (from Lemma 1), and . Note that is diagnosable, , and so we have , as desired.

For the necessity, suppose is diagnosable, i.e., for any , there exists a s.t. Definition 5 is satisfied. Since and are uniformly nonspeeding, there exist and s.t. the interval for generating (resp., ) number of events by (resp., ) is at least . Pick a faulty trace with , an extended trace with and a trace s.t. . We need to show .

From , there exist , and s.t. , , and , and there exists s.t. for . Also, we have if ; if , or , ; if . Note . The following four cases need to be considered.

Case 1: . Then, , . From , either (resp., , ) if (resp., , or , , ) or . Note that is uniformly nonspeeding, (if ) implies ; similarly, (if , or , ) implies or ; (if ) implies . Note that is uniformly nonspeeding, implies .

Similarly, for Case 2: , Case 3: , , and Case 4: , , it can be obtained that .

In each case, , (from Lemma 1), and .

Note that is diagnosable, , and so we have , as desired.

Remark 2: It follows from Theorem 3 that the diagnosis problem of dense-time systems with respect to both timing and event observation masks can be reduced to the diagnosis problem of untimed discrete-event systems. Thus, the results for the diagnosis of untimed discrete-event systems like [7], [10], [16] can be applied for the test of diagnosability and the synthesis of online as well as offline diagnosers.

Example 2: Consider the model of an air conditioning (AC) unit along with its environment as shown in Fig. 2(a). When the environment temperature is “Hot,” the AC unit is switched on within one unit of time, transitioning to the “On” state. From this state either a transition to the “Cool” state occurs within one unit of time, or the AC unit fails. In the former case, the AC unit is switched off after it has been running for one unit of time. When the AC unit is off, it can be switched on after the occurrence of the transition hot.

A diagnoser can observe all events except the event , which represents the fault of the AC unit. Fig. 2(b) depicts the model of a digital clock that generates the tick events observed by the diagnoser to keep track of the passing of time. The duration between two successive tick events is one unit of time. The corresponding clock regions are shown in Fig. 2(c). Fig. 2(d) shows the composed automaton . It can be checked that the AC unit is uniformly nonspeeding and the clock is uniformly nonspeeding and nonslowing.

From Theorem 3, the diagnosability of the AC unit under the event and timing masks can be checked by checking the diagnosability of its (untimed) timing-masked language under only the event mask. We first obtain the acceptor for the language by constructing the refined region-automaton according to Algorithm 1. Next, we check the diagnosability of the untimed language using a known algorithm (see Remark 2). A partial refined region-automaton, sufficient to check the diagnosability of , is shown in Fig. 2(e). (The sequence of transitions starting from the AC unit state “Off” is omitted since it is not relevant to diagnosability analysis.) From Fig. 2(e), it can be verified that if a fault occurs after the occurrence of on, then all future transitions are tick transitions (since no event is executable at the “Fault” state). On the other hand if a fault does not occur after the occurrence of on, then the cool event is observed following at most one tick transition. It follows that is diagnosable with delay bound . So from Theorem 3, is also diagnosable. This can be independently verified by choosing delay-bound : If following the observation of on, the cool event is not observed within 1 unit of time, then we can conclude that a fault has occurred.
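As an added example (my code, not the algorithms of [7], [10] or [16] that the paper refers to), the following Python implements the Definition 2 test on an untimed model with a twin-plant construction: two copies of the plant move in lockstep on events with the same observation and independently on unobservable events, and the language is not diagnosable exactly when the resulting verifier contains a reachable cycle on which one copy has executed a faulty event, the other has not, and the faulty copy keeps moving. It is run on two constructed untimed models: an abstraction of Example 1 (after the unobservable fault f or the unobservable nonfaulty event u, only “tick” followed by a's is seen) and an abstraction of the refined region automaton of Fig. 2(e) as described above (after on, either f and then only ticks, or cool after at most one tick). State names, the event a and the exact shape of both transition structures are my assumptions for illustration, not the paper's figures.

```python
def build_verifier(trans, init, mask, faulty):
    """Twin-plant ("verifier") of the untimed plant `trans` (dict state ->
    list of (event, next_state)).  `mask[e]` is the symbol the diagnoser sees
    for event e; events missing from `mask` are unobservable.  A verifier
    state is (x1, f1, x2, f2): two copies of the plant, each with a flag that
    records whether a faulty event has occurred on its trace.  Each edge is
    tagged with whether copy 1 moved, so a cycle on which copy 1 keeps moving
    certifies an arbitrarily long faulty trace sharing its observation with a
    nonfaulty trace."""
    start = (init, False, init, False)
    graph, todo = {}, [start]
    while todo:
        v = todo.pop()
        if v in graph:
            continue
        x1, f1, x2, f2 = v
        succ = []
        for e, y in trans.get(x1, []):                 # copy 1 alone, unobservable
            if e not in mask:
                succ.append(((y, f1 or e in faulty, x2, f2), True))
        for e, y in trans.get(x2, []):                 # copy 2 alone, unobservable
            if e not in mask:
                succ.append(((x1, f1, y, f2 or e in faulty), False))
        for e1, y1 in trans.get(x1, []):               # both copies, same observation
            for e2, y2 in trans.get(x2, []):
                if e1 in mask and e2 in mask and mask[e1] == mask[e2]:
                    succ.append(((y1, f1 or e1 in faulty, y2, f2 or e2 in faulty), True))
        graph[v] = succ
        todo.extend(w for w, _ in succ)
    return graph, start


def _sccs(nodes, successors):
    """Tarjan's strongly connected components (recursive; graphs here are small)."""
    index, low, on_stack, stack, comps = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in successors(v):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in nodes:
        if v not in index:
            visit(v)
    return comps


def check_diagnosability(trans, init, mask, faulty):
    """Definition 2 test.  Returns (True, None) when every fault is detected
    within a bounded number of further transitions, otherwise (False, state)
    with `state` on a verifier cycle that witnesses the confusion."""
    graph, _ = build_verifier(trans, init, mask, faulty)
    confused = {v for v in graph if v[1] and not v[3]}   # copy 1 faulty, copy 2 not
    inside = lambda v: [w for w, _ in graph[v] if w in confused]
    for comp in _sccs(confused, inside):
        for v in comp:
            if any(w in comp and moved for w, moved in graph[v]):
                return False, v          # cycle on which the faulty copy keeps running
    return True, None


# Constructed untimed abstraction of Example 1: after the unobservable faulty
# event f or the unobservable nonfaulty event u, only "tick" and then a's are
# observed, so the two branches can never be told apart.
EXAMPLE1 = {"q0": [("f", "q1"), ("u", "q3")], "q1": [("tick", "q2")],
            "q2": [("a", "q2")], "q3": [("tick", "q4")], "q4": [("a", "q4")]}
OBSERVABLE = {e: e for e in ("tick", "a", "on", "cool", "off", "hot")}   # f, u unobservable

# Constructed untimed abstraction of the refined region automaton of the AC
# unit (Example 2): after "on" either the fault f occurs and only ticks follow,
# or "cool" is observed after at most one tick.
AC_REGIONS = {
    "Hot":    [("on", "On")],
    "On":     [("f", "Fault"), ("cool", "Cool"), ("tick", "On+1")],
    "On+1":   [("cool", "Cool")],
    "Fault":  [("tick", "Fault")],
    "Cool":   [("tick", "Cool+1")],
    "Cool+1": [("off", "Off")],
    "Off":    [("tick", "Off"), ("hot", "Hot")],
}
```

`check_diagnosability(EXAMPLE1, "q0", OBSERVABLE, {"f"})` returns (False, ("q2", True, "q4", False)): the faulty copy in q2 and the nonfaulty copy in q4 loop together on a forever. For the AC abstraction the faulty copy can match only one tick before the nonfaulty copy is forced to emit cool, so no such cycle exists and the call returns (True, None), in line with the bounded delay stated above. Since both copies are the same plant, inspecting only the states with copy 1 faulty and copy 2 nonfaulty loses nothing.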

IV. DIAGNOSIS WITH DENSE-TIME SPECIFICATION

Fig. 2. Models of the AC unit and digital-clock.

In this section, we study the diagnosis problem where one dense timed-automaton is given as the system model and another dense timed-automaton as the specification model which specifies the nonfaulty behavior. The task of diagnosis is to diagnose any faulty behavior of the system (with respect to the specification) within a bounded delay of its occurrence in the presence of both timing and event masks. This notion of diagnosability is captured by the following definition.

Definition 6: Given a timed system, a specification

closed relative to , the timing mask , and the event mask , is said to be diagnosable with respect to and if the following holds:

Definition 6 states that a timed system and a specification of its nonfaulty behaviors are diagnosable if any violation of the given specification can be detected within a bounded time delay from the event- and timing-mask observations of the system behavior (i.e., no nonfaulty behavior can produce the same observation).

For any deterministic specification , the above diagnosis problem of a pair of timed-automata can be converted to the diagnosis problem of a single timed-automaton with a faulty event as defined in Definition 5. For this, we first complete the specification by adding a state and all the missing transitions. The resulting completed specification model is denoted as . Next, we introduce in a faulty event , whose occurrence indicates the execution of a behavior violating the given specification. The resulting refined completed specification is denoted as

. Then, we reduce the diagnosis problem of the pair

to that of the system . Note a nonfaulty specification can always be accepted by a trim automaton, and we assume without loss of generality that is trim, so that .

The completed specification is constructed as follows.

where , , , and the set of added transitions is defined as

• , , if there are outgoing transitions from labeled with , and let be the set of guard conditions associated with those transitions, then ; otherwise

.
• , .
It is obvious that accepts any timed-trace over the event

set and if a timed-trace leads to the state , then that trace is not marked by (when is deterministic), in which case it indicates a fault. In order to represent such a fault using a faulty event, we: (i) “split” the state into and

states; (ii) make all self-loop transitions of self-loop transitions of ; (iii) make all incoming nonself-loop transitions of incoming transitions of ; and (iv) add an outgoing transition on from to .

The refined complete specification is defined as follows.

, where , , , , and the

set of transitions is defined as:
• , , if there are outgoing transitions from labeled with , and let be the set of guard conditions associated with those transitions, then ; otherwise

.
• , .
• .


In the composed automaton , we have only one fault type, i.e., , and the corresponding fault assignment function is defined as and for any

. The faulty event is unobservable, i.e., . Also note , and so the faulty event occurs asynchronously in the composition (i.e., without the participation of , whereas all other events occur synchronously) and immediately after the occurrence of a violation of the specification.

From the construction of , it can be proved that is diagnosable according to Definition 6 if and only if is diagnosable according to Definition 5. To show this, we need the following lemmas.

Lemma 2: Given and deterministic and relative-closed , it holds that and

.
Proof: The first conclusion follows from the fact

.
Next, we show the second conclusion. It follows

from the definition of synchronous composition that . To show the converse containment , pick . If , then . On the other hand, if

, then from the relative-closure of and the fact (since is trim), we have

.
Therefore, must reach the state in (since is deterministic). This implies that there exists such that

, and . Then, reaches the state , which is a marked state of . Further, since , we have that . Thus, it can be concluded that

.
Lemma 3: Given and deterministic relative-closed , any

contains the faulty event if and only if .

Proof: Pick with . From Lemma 2, . Since contains the faulty event , the execution of in reaches state . Since the projected trace only erases the faulty event, the execution of reaches the state in . Therefore, contains the faulty event if and only if and its execution reaches the state in (i.e.,

, for is deterministic). Note ; then from the relative-closure property of , we have

, as desired.
With Lemmas 2 and 3 in hand, we are ready to establish the

following theorem.
Theorem 4: Given a system , a deterministic relative-closed

specification , a timing mask , and an event mask , is diagnosable with respect to and if and only

if is diagnosable with respect to , , and .

Proof: For the sufficiency, suppose is diagnosable, i.e., there exists such that Definition 5 is satisfied. Pick a trace , an extended trace with

, and such that . We need to show .

Since , , from Lemmas 2 and 3, there exist s.t. ,

, , and contains the faulty event . Since the faulty transition occurs instantaneously (see the

construction of ), the last events in and occur at the same times as the last events in and , i.e., and . Thus, the last events and are separated by at least the duration . Note that is unobservable under the event-mask , and . Note is diagnosable,

. Then, from Lemma 3, we have .
For the necessity, suppose is diagnosable, i.e., there

exists such that Definition 6 is satisfied. Pick a faulty trace , where

and for some , an extended trace

with ,

and such that . We need to show .

Since and , from Lemmas 2 and 3, there exist s.t. ,

, and . Since the projection only erases the faulty event, which occurs instantaneously, the last events in and are separated by the same duration as the last events in and , namely, by at least the duration . Note that is unobservable under the event-mask , and

. Note is diagnosable, . Then, from Lemma 3, we have .

The following example illustrates the equivalence between the diagnosability of and that of .

Example 3: Consider the system and the deterministic relative-closed specification as shown in Fig. 3. Suppose the digital clock ticks with an interval of one. From the specification , we construct , and , which are shown in Fig. 3.

Suppose , , then is diagnosable. This is because the trace in , which violates the specification , must be of the form with . Such a trace is observed as . On the other hand, the trace with the same event observation and which satisfies the specification is of the form with . Such a trace is observed as for some . The conclusion about diagnosability of can be drawn as well by comparing a faulty trace with and a nonfaulty trace with

.
Now suppose , then becomes

undiagnosable. This is because a faulty trace cannot be distinguished from a nonfaulty trace . Both produce the same observation, . Similarly, is also undiagnosable since a faulty trace cannot be distinguished from a nonfaulty trace (both produce the same observation, ).
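An untimed analogue of the construction of this section (completion of the specification with a dump state, the split into pre-dump and dump states joined by the faulty event, and synchronous composition with the plant), added here as example code that is not the paper’s: clocks and guards are dropped, and the plant, specification, and all state names are constructed for illustration. The last function checks the property of Lemma 3 on a trace: the composed run executes the faulty event exactly when the trace leaves the specification, and it does so immediately after the violating event, before any further plant event.

```python
"""Untimed analogue of the Section IV reduction: complete a deterministic
specification with a dump state, split the dump state so that entering it
emits an unobservable fault event f, and compose with the plant. Added
example, not the paper's code: clocks and guards are omitted, and the plant,
specification and all state names below are constructed for illustration."""
from collections import defaultdict

FAULT = "f"                    # unobservable fault event added by the refinement
DUMP, PRE_DUMP = "D", "D_pre"  # constructed names for the two added states

def complete_spec(spec, alphabet):
    """R_c: every (state, event) pair undefined in the deterministic spec (a
    dict (state, event) -> next state) goes to the dump state, which loops on
    the whole alphabet, so R_c accepts every event sequence."""
    states = {q for q, _ in spec} | set(spec.values()) | {DUMP}
    rc = dict(spec)
    for q in states:
        for e in alphabet:
            rc.setdefault((q, e), DUMP)
    return rc

def refine_spec(rc):
    """R_f: non-self-loop transitions into the dump state are redirected to
    a pre-dump state, the dump's self-loops stay, and one f transition leads
    from pre-dump to dump. A run thus executes f right after a violation."""
    rf = {(q, e): (PRE_DUMP if t == DUMP and q != DUMP else t)
          for (q, e), t in rc.items()}
    rf[PRE_DUMP, FAULT] = DUMP
    return rf

def compose(plant, plant_init, rf, spec_init):
    """G || R_f: shared events move both components; f is not an event of G,
    so it moves R_f alone. plant: dict (state, event) -> set of next states."""
    init = (plant_init, spec_init)
    trans = defaultdict(set)
    seen, stack = {init}, [init]
    while stack:
        g, r = stack.pop()
        succ = {(e, (t, rf[r, e])) for (q, e), ts in plant.items()
                if q == g and (r, e) in rf for t in ts}
        if (r, FAULT) in rf:
            succ.add((FAULT, (g, rf[r, FAULT])))
        for e, n in succ:
            trans[(g, r), e].add(n)
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return init, dict(trans)

def run_with_faults(init, trans, events):
    """Run a plant event sequence in G || R_f, taking the asynchronous f
    transition whenever it is enabled. Returns (reached states, f executed);
    by the untimed form of Lemma 3, f is executed iff the sequence leaves R."""
    current, fault_seen = {init}, False
    for e in events:
        current = set().union(*(trans.get((s, e), set()) for s in current))
        after_f = set().union(*(trans.get((s, FAULT), set()) for s in current))
        if after_f:
            current, fault_seen = after_f, True
    return current, fault_seen

def in_spec(spec, init, events):
    """Membership in the (prefix-closed, trim) specification language."""
    q = init
    for e in events:
        if (q, e) not in spec:
            return False
        q = spec[q, e]
    return True

# Constructed plant G: after `start` the controller must `ack` before `done`,
# but G can also emit `done` directly, which the specification forbids.
PLANT = {("p0", "start"): {"p1"}, ("p1", "ack"): {"p2"}, ("p1", "done"): {"p3"},
         ("p2", "done"): {"p0"}, ("p3", "start"): {"p1"}}
# Constructed deterministic specification R of the nonfaulty behaviour.
SPEC = {("s0", "start"): "s1", ("s1", "ack"): "s2", ("s2", "done"): "s0"}
ALPHABET = {"start", "ack", "done"}

RC = complete_spec(SPEC, ALPHABET)
RF = refine_spec(RC)
INIT, TRANS = compose(PLANT, "p0", RF, "s0")
```

In the composed automaton the state `("p3", PRE_DUMP)` has `f` as its only outgoing transition, which is the untimed counterpart of the faulty event occurring asynchronously and immediately after the violation; once `f` has fired, the dump state's self-loops let the plant continue, so `INIT, TRANS` can be fed to an untimed diagnosability check such as the twin-plant construction.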

V. CONCLUSION

This paper considered the diagnosis problem of TDESs where the system as well as the nonfaulty specification is modeled by a dense timed-automaton [2]. While it is meaningful for


Fig. 3. Automata of the system, the specification, and the models constructed from it in Example 3.

a system as well as its specification of nonfaulty behavior to have a dense-time semantics, it is not practical for a diagnoser to be able to measure dense-time precisely. An imprecision in the measurement of time can be viewed as partial observability of “time,” just as the presence of imprecise sensors leads to partial observability of events. One observation we make is that for a diagnoser with access to a digital-clock modeled by a dense-time automaton, the timing-masked behavior is regular. (This, for example, is the case for a digital-clock with finite precision and finite drift.) Another key observation we make is that diagnosis of dense-time systems can be reduced to that of untimed systems.

APPENDIX

Given a plant and a digital-clock , the region automaton can be refined to accept the non-prefix-closed language . This is done in two steps. First, the transitions of are extended to include -labeled transitions to track the passing of time. The resulting automaton is called an extended region-automaton, denoted , and consists of a tuple , where

:, ,

, where ( denotes the clock regions), is the immediate time-successor of for

and (resp., ) is the immediate time-successor of (resp., ).
In the second step, an extended region automaton is further

refined to identify “event-pending” states and “tick-pending” states. Next, we introduce the notions of “forcing,” “tick-concurrent,” and “pending” states.

Definition 7: Consider the extended region automaton . Let denote the set of events defined at

state of . is said to be:
• forcing if ;
• tick-concurrent if forcing and there exists such that

;
• tick-pending with respect to its predecessor if forcing

and such that is tick-concurrent and:
— either all predecessors of are forcing;
— or with forcing and

nonforcing;

• event-pending with respect to its predecessor if forcing and such that is tick-concurrent and:
— either for any predecessor of ,

;
— or with

nonforcing.
Note any tick/event-pending state cannot be a final state if it

is reached along predecessors which render it a pending state (since some concurrently enabled transition is still pending to occur), and so each tick/event-pending state may be duplicated to make another copy, which cannot be marked. This is formalized in the following algorithm.

Algorithm 1: Given a plant and a digital-clock , the algorithm for constructing the refined region-automaton

, is presented as follows.

1) Obtain the region-automaton .
2) Obtain the extended region-automaton .
3) Construct the states . :

• if and tick-pending, then:
— if all predecessors of are forcing, ;
— otherwise, ;

• if and event-pending such that with being tick-concurrent, then:

— if for any predecessor of , , then ;

— otherwise, ;
• otherwise, ;

4) Construct the transitions . :
• if and tick-pending such that

with tick-concurrent, then:
— if all predecessors of are forcing, then:

(resp., ) if (resp., );

— if with forcing and nonforcing, then:

(resp., ) if (resp., ), and

;
• if and event-pending such that

with being tick-concurrent, then:
— if for any predecessor of ,

, then:
;


— if with forcing (resp., nonforcing) and nonforcing, then:

(resp., );

• otherwise, (resp., ) if and (resp.,

);
5) Construct the marked states .

iff .

REFERENCES

[1] K. Altisen, F. Cassez, and S. Tripakis, “Monitoring and fault-diagnosis with digital clocks,” in Proc. Appl. Concurrency to System Design (ACSD’06), 2006, pp. 101–110.

[2] R. Alur and D. Dill, “A theory of timed automata,” Theoret. Comput. Sci., vol. 126, pp. 183–235, 1994.

[3] P. Bouyer, F. Chevalier, and D. D’Souza, “Fault diagnosis using timed automata,” in Proc. 8th Int. Conf. Foundations of Softw. Sci. Comput. Structures (FoSSaCS’05), Edinburgh, U.K., 2005, pp. 219–233.

[4] R. Debouk, S. Lafortune, and D. Teneketzis, “Coordinated decentralized protocols for failure diagnosis of discrete event systems,” Discrete Event Dynamical Systems: Theory and Applications, vol. 10, pp. 33–79, 2000.

[5] M. Dotoli, M. P. Fanti, A. M. Mangini, and W. Ukovich, “On-line fault detection in discrete event systems by Petri nets and integer linear programming,” Automatica, vol. 45, pp. 2665–2672, 2009.

[6] L. E. Holloway and S. Chand, “Distributed fault monitoring in manufacturing systems using concurrent discrete-event observations,” Integr. Comput.-Aided Eng., vol. 3, no. 4, pp. 244–254, 1996.

[7] S. Jiang, Z. Huang, V. Chandra, and R. Kumar, “A polynomial time algorithm for diagnosability of discrete event systems,” IEEE Trans. Autom. Control, vol. 46, no. 8, pp. 1318–1321, Aug. 2001.

[8] S. Jiang and R. Kumar, “Failure diagnosis of discrete event systems with linear-time temporal logic fault specifications,” IEEE Trans. Autom. Control, vol. 49, no. 6, pp. 934–945, Jun. 2004.

[9] S. Jiang and R. Kumar, “Diagnosis of dense-time systems using digital-clocks,” in Proc. 25th Amer. Control Conf., Minneapolis, MN, Jun. 2006, pp. 6051–6056.

[10] S. Jiang, R. Kumar, and H. E. Garcia, “Diagnosis of repeated/intermittent failures in discrete event systems,” IEEE Trans. Robot. Autom., vol. 19, no. 2, pp. 310–323, 2003.

[11] C. M. Özveren and A. S. Willsky, “Observability of discrete event dynamical systems,” IEEE Trans. Autom. Control, vol. 35, no. 7, pp. 797–806, Jul. 1990.

[12] W. Qiu and R. Kumar, “Decentralized failure diagnosis of discrete event systems,” IEEE Trans. Syst., Man, Cybern. A, vol. 36, no. 2, pp. 384–395, Mar. 2006.

[13] W. Qiu, R. Kumar, and S. Jiang, “On decidability of distributed diagnosis under unbounded-delay communication,” IEEE Trans. Autom. Control, vol. 52, pp. 114–116, Jan. 2007.

[14] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis, “Diagnosability of discrete event systems,” IEEE Trans. Autom. Control, vol. 40, no. 9, pp. 1555–1575, Sep. 1995.

[15] S. Tripakis, “Fault diagnosis for timed automata,” in Formal Techniques in Real Time and Fault Tolerant Systems, Lecture Notes in Computer Science, vol. 2469. Berlin, Germany: Springer-Verlag, 2002.

[16] T. S. Yoo and S. Lafortune, “Polynomial-time verification of diagnosability of partially observed discrete-event systems,” IEEE Trans. Autom. Control, vol. 47, no. 9, pp. 1491–1495, Sep. 2002.

[17] S. H. Zad, R. H. Kwong, and W. M. Wonham, “Fault diagnosis in discrete-event systems: Incorporating timing information,” IEEE Trans. Autom. Control, vol. 50, no. 7, pp. 1010–1015, Jul. 2005.

Songyan Xu received the B.Tech. and M.S. degrees from the Harbin Institute of Technology, Harbin, China, in 2000 and 2002, respectively. She is currently working towards the Ph.D. degree in Electrical and Computer Engineering at Iowa State University, Ames.

Her research interests include diagnosis, supervisory control, and state estimation of discrete-event systems.

Shengbing Jiang received the B.S. degree in electrical engineering from the University of Science and Technology of China, Hefei, China, in 1987, the M.S. degree in electrical engineering from East China Institute of Technology, Nanjing, China, in 1990, and the Ph.D. degree in electrical engineering from the University of Kentucky, Lexington, in 2002.

He joined General Motors R&D, Warren, MI, in 2002. His research interests include formal methods, formal verification, supervisory control, and failure diagnosis of discrete-event and hybrid systems, and their applications in embedded software design.

Ratnesh Kumar (S’87–M’90–SM’00–F’07) received the B.Tech. degree in electrical engineering from the Indian Institute of Technology, Kanpur, in 1987, and the M.S. and Ph.D. degrees in electrical and computer engineering from the University of Texas at Austin, in 1989 and 1991, respectively.

From 1991 to 2002, he was on the faculty of the University of Kentucky, and since 2002 he has been on the faculty of Iowa State University, Ames. He has held visiting positions at the Institute of Systems Research, University of Maryland at College Park, the Applied Research Laboratory, Pennsylvania State University, the NASA Ames Research Center, the Argonne National Laboratory West, and the United Technology Research Center. He is coauthor of Modeling and Control of Logical Discrete Event Systems (Kluwer Academic, 1995). His primary research interest is in reactive, real-time, and hybrid systems and their applications to embedded software, web services, power systems, and autonomous systems.

Dr. Kumar was a recipient of the Microelectronics and Computer Development (MCD) Fellowship from the University of Texas at Austin, and was awarded the Lalit Narain Das Memorial Gold Medal for the Best EE Student and the Ratan Swarup Memorial Gold Medal for the Best All-Rounded Student from the Indian Institute of Technology, Kanpur. He is a recipient of the NSF Research Initiation Award and the NASA-ASEE Summer Faculty Fellowship Award. He serves on the program committees for the IEEE Control Systems Society, the International Workshop on Discrete Event Systems, and the IEEE Workshop on Software Cybernetics. He is or has been an Associate Editor of the SIAM Journal on Control and Optimization, the IEEE TRANSACTIONS ON ROBOTICS AND AUTOMATION, the Journal of Discrete Event Dynamical Systems, and the IEEE Control Systems Society.